-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 dbcooper wrote: > Hello, > > I've setup (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and all > the needed plugs). > > I'm getting the following messages when using SELinux in Target/Enabled > mode. > > My knowledge is very limited with SELinux and I'm trying to learn the proper > way to troubleshoot/resolve issues on my own, and hopefully I can use > this as my firts learning curve with it. > > Thanks for any suggestions. > > --------------------------------------------------------------------------------------------------------------- > Summary: > > SELinux is preventing ping (ping_t) "read" to > /var/spool/nagios/cmd/nagios.cmd > (nagios_spool_t). > > Detailed Description: > > SELinux denied access requested by ping. It is not expected that this access > is > required by ping and this access may signal an intrusion attempt. It is also > possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:ping_t:s0 > Target Context unconfined_u:object_r:nagios_spool_t:s0 > Target Objects /var/spool/nagios/cmd/nagios.cmd [ fifo_file ] > Source ping > Source Path /bin/ping > Port <Unknown> > Host xxxxxxxxxx > Source RPM Packages iputils-20071127-2.fc9 > Target RPM Packages > Policy RPM selinux-policy-3.3.1-84.fc9 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name xxxxxxxxxxxxxx > Platform Linux xxxxxxxxxxxxx 2.6.25.14-108.fc9.i686 #1 > SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686 > Alert Count 23 > First Seen Sun 17 Aug 2008 02:06:45 AM EDT > Last Seen Mon 18 Aug 2008 06:11:31 PM EDT > Local ID 67986880-653f-455c-88bb-5598d451bb14 > Line Numbers > > Raw Audit Messages > > host=xxxxxxxxxxx type=AVC msg=audit(1219097491.87:211): avc: denied { read > } for pid=6420 comm="ping" path="/var/spool/nagios/cmd/nagios.cmd" dev=dm-0 > ino=728571 scontext=system_u:system_r:ping_t:s0 > tcontext=unconfined_u:object_r:nagios_spool_t:s0 tclass=fifo_file > > host=xxxxxxxxxxxxx type=SYSCALL msg=audit(1219097491.87:211): arch=40000003 > syscall=11 success=yes exit=0 a0=96dda38 a1=96ddb18 a2=bfec6ae4 a3=0 items=0 > ppid=6419 pid=6420 auid=4294967295 uid=493 gid=489 euid=0 suid=0 fsuid=0 > egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="ping" > exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null) > > --------------------------------------------------------------------------------------------------------- > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list This is a classic leaked file descriptor. Obviously ping has no business reading the nagios spool file, it would know nothing about this file, but nagios has a open file descriptor to the fifo_file when it execs ping. ping inherits the open file descriptor. The kernel checks the ping policy to see if ping can read the fifo file, when it finds it can not, it reports a violation, closes the file desctriptor for ping and reopens it with /dev/null. It then completes the startup of ping. You should report this as a bug to nagios. They should execute fcntl(fd, F_SETFD, FD_CLOEXEC) on all open file descriptors before fork/exec of any subprocess. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkir94kACgkQrlYvE4MpobP7pQCfblWcSW3EIrq2eSIMSPYdXE2h qscAoMsUbUVRp5rs2wOYNp9zsQ0AaaQz =IyRr -----END PGP SIGNATURE----- -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
